Microsoft September Patches: BlueBorne And Others To Watch
Patch Tuesday arrived with a whirlwind of CVEs, public disclosures and zero-day exploits. Microsoft alone has resolved 76 unique vulnerabilities across 14 updates, 11 of which are rated Critical and 3 Important. One vulnerability was already being exploited in the wild when the patch shipped (this month's zero day) and three had been publicly disclosed beforehand.
Read on for the CVEs of particular interest to us this month.
CVE-2017-8759 – .NET Framework Remote Code Execution Vulnerability
This is the only CVE Microsoft lists as being under active attack, though it gives no indication of how widespread the attacks are. The flaw lies in how the .NET Framework processes untrusted input, and Microsoft says a successful attacker could "take control of an affected system". The Zero Day Initiative reads this as the exploit running with whatever privileges the victim's account holds, which is why the damage is bounded by that user: a standard user limits the attacker to the actions that user may perform, while an administrator hands over the whole machine. As it is user targeted, delivery will most likely be a malicious attachment or hyperlink sent by email. Given that it is both user targeted and known to be under active attack, we can't help but wonder why it has only been rated "Important".
Regardless of the severity, this patch should be a top priority this month as .NET is deployed on virtually every workstation.
CVE-2017-8628 – Microsoft Bluetooth Driver Spoofing Vulnerability
According to Microsoft, the fix for this vulnerability shipped silently in the July security updates, so customers who applied those updates are already protected. Microsoft released the fix as early as it could but withheld the details to give other vendors time to develop their own updates (and, hopefully, to contain it).
Patches that depend on physical proximity are rare these days, but Bluetooth attacks are the exception. This CVE is Microsoft's share of the set of flaws Armis named "BlueBorne". On Windows it is a spoofing (man-in-the-middle) bug rather than remote code execution, but across the affected platforms Armis describes attackers taking control of devices, accessing corporate data and networks, reaching into supposedly "air-gapped" networks and spreading malware laterally to adjacent devices. The worst part is that it needs no user interaction and no pairing: an attacker within Bluetooth range can connect over the air without the user noticing. If you run Bluetooth, you'll want to know who is sitting in your office at all times! The catchy name has earned it a lot of press, so it should be hot on the list if you weren't on top of July's patch rollout.
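As an added example (not part of the original post), the following PowerShell reports whether a machine has active Bluetooth devices and whether its most recent Windows update predates Microsoft's July 2017 release (11 July 2017), which carried the silent fix. It assumes PowerShell 5.1 on Windows 10 or Server 2016 and an administrative session; the function name is ours.

```powershell
# Added example, not from the original post: triage BlueBorne exposure on a host.
# Assumes PowerShell 5.1 on Windows 10 / Server 2016, run as an administrator.
function Get-BlueBorneExposure {
    # July 2017 Patch Tuesday, when the fix for CVE-2017-8628 shipped silently.
    $fixReleased = Get-Date '2017-07-11'

    # Active Bluetooth devices. Get-PnpDevice ships with Windows 8.1 and later.
    $bluetooth = Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue
    $radioPresent = ($bluetooth | Measure-Object).Count -gt 0

    # Most recent update recorded in the hotfix history (InstalledOn can be empty).
    $lastUpdate = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $patchedSinceJuly = ($null -ne $lastUpdate) -and ($lastUpdate.InstalledOn -ge $fixReleased)

    $lastUpdateText = 'none recorded'
    if ($lastUpdate) {
        $lastUpdateText = '{0} on {1}' -f $lastUpdate.HotFixID, $lastUpdate.InstalledOn.ToShortDateString()
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        BluetoothDevices = ($bluetooth | Select-Object -ExpandProperty FriendlyName) -join '; '
        LastUpdate       = $lastUpdateText
        # At risk = a Bluetooth radio is active and nothing has been installed since the fix shipped.
        AtRisk           = $radioPresent -and -not $patchedSinceJuly
    }
}

# Run locally, or fan out over WinRM with:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-BlueBorneExposure}
Get-BlueBorneExposure | Format-List
```

Get-HotFix only tells you when the last update landed, so a date on or after 11 July shows the host has been patched since the fix shipped, not that the specific update is present; treat it as a triage signal and confirm against your patch tool's compliance report.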
CVE-2017-0161 – NetBIOS Remote Code Execution Vulnerability
New to the Microsoft patch to-do list but old news for the Options team. Proving the value of hardening ahead of the patch cycle, our cybersecurity team had flagged NetBIOS as a risk early on and, while it posed no imminent threat, disabled it pre-emptively across our desktop estate. For those learning of this vulnerability for the first time, it allows an attacker to execute code on a target system simply by sending specially crafted NetBT Session Service packets. NetBIOS over TCP/IP (UDP 137/138 and TCP 139) is normally blocked at the network perimeter, so exposure is largely confined to the LAN. However, a single infected device inside a LAN would be enough for it to spread without user interaction (it is wormable). The same applies to virtual machines: according to the Zero Day Initiative, if guest OSes share a (virtual) LAN with NetBIOS enabled, one compromised guest could execute code on the others.
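The pre-emptive mitigation described above, as an added example rather than the Options team's own script: the PowerShell below reports NetBIOS over TCP/IP on every IP-enabled adapter, disables it when run with -Disable, and then checks whether anything is still listening on the NetBT Session Service port (TCP 139). It assumes Windows 8.1 / Server 2012 R2 or later and an administrative session.

```powershell
# Added example, not from the original post: audit and optionally disable
# NetBIOS over TCP/IP, removing the NetBT Session Service (TCP 139) surface
# targeted by CVE-2017-0161. Run as an administrator on Windows 8.1+.
#
# TcpipNetbiosOptions values: 0 = take setting from DHCP, 1 = enabled, 2 = disabled.
param([switch]$Disable)

$labels = @{ 0 = 'Default (DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($nic in $adapters) {
    $state = [int]$nic.TcpipNetbiosOptions
    Write-Host ('{0,-45} NetBIOS: {1}' -f $nic.Description, $labels[$state])

    if ($Disable -and $state -ne 2) {
        # SetTcpipNetbios returns 0 on success and 1 when a reboot is required.
        $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                                   -Arguments @{ TcpipNetbiosOptions = 2 }
        Write-Host ('    -> SetTcpipNetbios returned {0}' -f $result.ReturnValue)
    }
}

# Independent check: is the NetBT Session Service still listening?
$listener = Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    Write-Warning 'TCP 139 is still listening; if you just disabled NetBIOS, a reboot may be needed.'
} else {
    Write-Host 'TCP 139 is not listening.'
}
```

Run it without arguments to audit, and with -Disable to change the setting. Disabling NetBIOS breaks legacy name resolution for hosts that still rely on it, so test on a pilot group before rolling it across a desktop estate.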
CVE-2017-9417 – Broadcom BCM43xx Remote Code Execution Vulnerability
This entry covers the widely publicised "Broadpwn" vulnerability in Broadcom's BCM43xx Wi-Fi chipsets, which allows remote attackers to execute arbitrary code via unspecified vectors; Microsoft's fix is for HoloLens, which uses the affected chipset. According to Microsoft, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights. To exploit it, an attacker within Wi-Fi range only needs to send a specially crafted Wi-Fi packet.
While not directly related to desktop patching, this one caught our eye because it could undermine the security of clients accessing corporate data on their smartphones. The chip is widely used in today's iPhones and Android devices (Apple and Google shipped their fixes in July), so let this be a warning: make sure critical updates are applied to your phone's OS too!
With so many critical vulnerabilities to patch this month, across multiple software vendors, we'll be using Ivanti Patch for Windows to make sure we hit 100% patch compliance.
Applying all the latest patches gives us base coverage, but we recommend layering additional controls on top, as we do here at Options. For the user-targeted remote code execution vulnerabilities, attackers can only get as far as the victim's permissions allow. Our Desktop Management team reviews monthly who holds authorised administrator access, and we strongly advise our clients to do the same: check who has admin rights and question whether they really need them.
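One way to run that check, as an added example rather than the Options Desktop Management team's own control: the PowerShell below pulls local Administrators membership from a list of hosts over WinRM and flags any member that is neither the host's built-in Administrator account nor on an approved list. The host names and approved groups are placeholders to adapt; it assumes PowerShell 5.1 (for Get-LocalGroupMember) and WinRM access to the targets.

```powershell
# Added example, not from the original post: monthly local-admin review.
# Assumes PowerShell 5.1 on the targets and WinRM enabled. The host list and
# approved principals below are placeholders.
$hosts    = @('WS-001', 'WS-002')
$approved = @('CORP\Domain Admins', 'CORP\Desktop-Admins')

# Collect membership remotely; Invoke-Command tags each result with PSComputerName.
$members = Invoke-Command -ComputerName $hosts -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# A finding is any member that is not the built-in local Administrator
# (named <COMPUTER>\Administrator) and not on the approved list.
$findings = $members | Where-Object {
    ($approved -notcontains $_.Name) -and
    ($_.Name -ne ('{0}\Administrator' -f $_.PSComputerName))
}

$members | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, ObjectClass, PrincipalSource -AutoSize

foreach ($f in $findings) {
    Write-Warning ('{0}: unapproved administrator {1} ({2}, {3})' -f
        $f.PSComputerName, $f.Name, $f.ObjectClass, $f.PrincipalSource)
}
```

Keeping the approved list in source control alongside the script turns the monthly review into a diff: anything new in the warnings is either a change request you can trace or an account that should not be there.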
Another layer is email filtering. Email remains the most common way in, with unsuspecting users opening malicious attachments or following hyperlinks. The times call for stricter filtering than ever, but don't underestimate user education either: make people aware of phishing attempts and have them verify that a message is legitimate before clicking the link.
And lastly, with all the software and infrastructure controls you're investing in, don't forget to restrict physical access to your office. This live physical pen test shows just how easily someone can walk into an office without your knowledge or permission and, once inside, take advantage of proximity-based vulnerabilities like BlueBorne to reach your data. https://twitter.com/i/moments/896186077911949312
Until next month…